From 543e1e22c302e02cc311fd4e1320c6d758b2f6c4 Mon Sep 17 00:00:00 2001
From: Michael Brown <supermathie@gmail.com>
Date: Wed, 8 Apr 2020 21:47:28 -0400
Subject: [PATCH] Prevent unused packages from being pulled into the base image

* e.g. X11 libraries, mysql libraries, mailutils, NTLM libraries
---
 image/base/Dockerfile    | 9 ++++++---
 image/base/install-nginx | 6 ++----
 2 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/image/base/Dockerfile b/image/base/Dockerfile
index e669ae3..0e6252a 100644
--- a/image/base/Dockerfile
+++ b/image/base/Dockerfile
@@ -28,14 +28,17 @@ RUN echo "deb http://apt.postgresql.org/pub/repos/apt/ buster-pgdg main" | \
         tee /etc/apt/sources.list.d/postgres.list
 RUN curl --silent --location https://deb.nodesource.com/setup_10.x | sudo bash -
 RUN apt -y update
-RUN apt -y install build-essential git wget rsync \
+# install these without recommends to avoid pulling in e.g.
+# X11 libraries, mailutils
+RUN apt -y install --no-install-recommends git rsyslog logrotate cron ssh-client
+RUN apt -y install build-essential rsync \
                        libxslt-dev libcurl4-openssl-dev \
                        libssl-dev libyaml-dev libtool \
                        libxml2-dev gawk parallel \
                        postgresql-${PG_MAJOR} postgresql-client-${PG_MAJOR} \
                        postgresql-contrib-${PG_MAJOR} libpq-dev libreadline-dev \
-                       cron anacron \
-                       psmisc rsyslog vim whois brotli libunwind-dev \
+                       anacron wget \
+                       psmisc vim whois brotli libunwind-dev \
                        libtcmalloc-minimal4 cmake
 RUN sed -i -e 's/start -q anacron/anacron -s/' /etc/cron.d/anacron
 RUN sed -i.bak 's/$ModLoad imklog/#$ModLoad imklog/' /etc/rsyslog.conf
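Review bot: `--no-install-recommends` is applied only to the first `apt install` on the new line (git, rsyslog, logrotate, cron, ssh-client); the second invocation that follows it (build-essential, the postgresql packages, vim, whois and the -dev libraries) still pulls every recommended package, so the stated goal of keeping X11/mail/mysql libraries out of the base image is only partly enforced by this change. Consider `RUN apt-get install -y --no-install-recommends build-essential rsync \` for that line as well, adding back individually whatever recommend turns out to be needed. Both new lines also use `apt`, which prints a warning that it has no stable CLI interface and is meant for interactive use; `apt-get` is the conventional choice in a Dockerfile. Finally, each install is a separate layer from the `apt -y update` context line above it, so a rebuild that reuses a cached update layer can install against a stale index; folding them into one `RUN apt-get update && apt-get install ...` layer avoids that.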
diff --git a/image/base/install-nginx b/image/base/install-nginx
index 7b91333..3c5ede9 100755
--- a/image/base/install-nginx
+++ b/image/base/install-nginx
@@ -22,10 +22,8 @@ curl -O https://nginx.org/download/nginx-$VERSION.tar.gz
 tar zxf nginx-$VERSION.tar.gz
 cd nginx-$VERSION
 
-# so we get nginx user and so on
-apt install -y nginx libpcre3 libpcre3-dev zlib1g zlib1g-dev
-# we don't want to accidentally upgrade nginx and undo our work
-apt-mark hold nginx
+# nginx-common for boilerplate files etc.
+apt install -y nginx-common libpcre3 libpcre3-dev zlib1g zlib1g-dev
 
 # now ngx_brotli has brotli as a submodule
 cd /tmp/ngx_brotli && git submodule update --init && cd /tmp/nginx-$VERSION
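Review bot: The removed comment said the `nginx` package was installed to obtain the nginx user and boilerplate, and the replacement `nginx-common` presumably still provides the config skeleton, but it is not evident from this hunk that it creates the user/group the custom-built binary will run as; verify that after this change (e.g. `id nginx`, or check the `user` directive in the installed nginx.conf) and add an explicit `adduser --system --group --no-create-home nginx` if it does not. Since the commit is trimming the image, `libpcre3-dev` and `zlib1g-dev` are build-time only and could be purged after compilation in the same layer. Not changed by this commit but visible above: the tarball is fetched with `curl -O` and unpacked with `tar zxf` without verifying it against a pinned checksum or the PGP signature nginx.org publishes, so a `sha256sum -c` step before `tar` would be worth adding. The script continues outside the hunk.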
-- 
2.25.1